E-Authentication waits for rest of the pack

'The gateway has to come up with some assurance levels based on risks of e-gov initiatives,'

'GSA's Steve Timchak

Olivier Douliery

E-authentication is Quicksilver's linchpin. 'It makes everything work and is absolutely critical.'

'GSA's G. Martin Wagner

Henrik G. DeGyor

Technically, e-Authentication is ready'and waiting.

The government has had a working prototype of the online certificate authentication gateway for several months.

Now the initiative's leaders at the General Services Administration await the completion of the other 24 Quicksilver e-government initiatives and for the Office of Management and Budget to set security policies.

'The gateway has to come up with some assurance levels based on risks of e-gov initiatives,' said Steve Timchak, program executive for e-Authentication in GSA's Office of Governmentwide Policy. OMB is supposed to develop those policies, he said.

As agencies work on their e-government projects this year, OGP is developing a written taxonomy that will establish a process by which credential providers such as smart-card developers, biometric systems providers and certificate authorities can link to the gateway.

The classifications will define the 'levels of applications that require different levels of authentication,' G. Martin Wagner, associate administrator for the policy office.

E-Authentication is the linchpin of the Quicksilver initiatives, Wagner said. 'It makes everything work and is absolutely critical,' he said.

Because the gateway is scheduled for launch this fall, it will run with or without a completed set of rules and policies, said David Temoshok, director for identity policy and management in the policy office.

The GSA team plans to link about a dozen e-government applications to the gateway this year.

OMB is guiding agencies on the level of authentication for their e-government initiatives. Some will choose to secure their transactions with digital certificates within a public-key infrastructure.

Agencies will have to analyze the costs, risks and potential benefits of the authentication level they are considering, Temoshok said. Surfing the Internet requires few security measures; getting government-issued identification could require something stronger, such as a digital certificate.

OMB will create the common policies, protocols and rules for all initiatives that connect to the gateway.

'The gateway will interface with the bridge and validate PKI credentials,' Timchak said.

A visitor goes through firstgov.gov or to an application via an agency's URL, presents some form of credential to use an agency initiative, and that information would pass back to the gateway for validation, he said.

Cross that bridge

Digital certificates would go through the Federal Bridge to a certification authority for validation.

Now, the prototype manages access to the National Finance Center's time-and-attendance and payroll reporting systems. Mitretek Systems Inc., a nonprofit research organization in Falls Church, Va., is hosting the prototype for the Agriculture Department organization's system, which handles payroll services for many government agencies.

But the gateway isn't yet ready to handle full-scale traffic from e-government initiatives.It's up to the managers of the other Quicksilver projects to catch up and use the gateway, Temoshok said.

'We're looking for applications to link to the gateway,' he said. 'We have not done scalability' testing.